The security of a data communication is an important consideration in modern computing systems. If a data communication is insecure, a malicious entity may be able to intercept it and use the data it carries in malicious ways. One manner of securing a data communication is data encryption. However, some encryption schemes allow a malicious entity to determine the encryption key being used and decrypt any intercepted data communication that was encrypted using that key. For example, if one end-point communicates to the other end-point a public encryption key that will be used to encrypt a data communication, a malicious entity performing a man-in-the-middle attack can intercept the transmission of the public encryption key and substitute its own public encryption key. Thereafter, the malicious entity can intercept the data communication, which is now encrypted under the substituted key, manipulate the unencrypted data (e.g., inject some malicious code), re-encrypt the manipulated data using the legitimate public encryption key, and send the re-encrypted data on to its destination end-point. Both end-points may be unaware that the malicious entity performed this process.
There are other, more secure methods of protecting a data transmission, and some of these methods may protect against the man-in-the-middle attack described above. For example, a trusted third party, which is trusted by both end-points, may be used to certify the authenticity of a public key. One common trusted third party is a certificate authority (CA), which issues digital certificates for securing digital communications. Both end-points may rely on the CA to establish the authenticity of a digital certificate. In a client-server model, the CA issues a digital certificate to the server, and clients use the digital certificate to secure connections to the server. One common protocol that uses digital certificates to secure connections is the Transport Layer Security (TLS) protocol.
The use of digital certificates, however, is not without drawbacks. For example, virtual servers have a number of characteristics that make digital certificates more difficult to manage, and more expensive, than they are for hardware server counterparts. Indeed, the CA may issue a certificate for use during the lifetime of a server. This works well for a conventional hardware server, which may have a lifetime measured in weeks or years. A virtual server, however, may have a lifetime measured in hours or less. Thus, the window of usage for an issued digital certificate is much shorter for a virtual server. A conventional hardware server also may have a local secure location for storing the private key used in connection with the digital certificate. A virtual server, however, may not have a local secure location for storing its private key. Thus, the overall security of a virtual server is lessened. The number of hardware servers in a large server environment can typically be measured on the order of hundreds. For large virtual server environments, however, there can be thousands of virtual servers. Thus, the sheer number of certificates that need to be managed and/or paid for is much larger.